Feature #8480
open
firewall: allow specifying multiple actions
Description
Currently a rule that should accept and log should do something like
accept:packet ... (alert; ...)
It would be clearer if the actions are grouped together in the "action" field.
E.g. something like
accept,log:packet
Some other options:
{accept,log}:packet
accept:flow,log:packet
(accept|alert):packet
Not sure which syntax makes most sense. One thing to consider is if an action like accept is applied to the flow, should alert (or log) also be applied to the flow? Or just trigger once?
Updated by Victor Julien 2 days ago
- Related to Feature #8479: eve/firewall: dedicated log record type added
- Related to Feature #7701: firewall: configurable default policies added
Updated by Victor Julien 1 day ago
This could turn the ideas of accept:pass_flow into a bit cleaner solution, I think. accept,pass:flow would apply accept and pass to the flow. This would keep actions and scope more cleanly defined.
Updated by Jason Ish about 11 hours ago
- Related to Bug #8444: firewall: accept:flow at app-layer hook bypasses app:td (IDS/IPS) evaluation added